berbew | e6581493a2e881a56524f1d7e6d482602dc1bf34c8fb6990203cfbeb3f8f1431

Analysis

max time kernel
141s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/09/2024, 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6581493a2e881a56524f1d7e6d482602dc1bf34c8fb6990203cfbeb3f8f1431.exe
Size

144KB
MD5

bb1a911a828a774329925fe01baf71d0
SHA1

358ce66eac317696a1588e39da376b1e92f9891c
SHA256

e6581493a2e881a56524f1d7e6d482602dc1bf34c8fb6990203cfbeb3f8f1431
SHA512

6f88ada39447d1e8a1492a543b03c88afa7006304feae445b74e7d9c585a9202fba377bab9f0c49f139a06370567e53a96dda9c33625289b34a5142c61f2ef5e
SSDEEP

3072:WEWzfHse70lDR578wb/zGYJpD9r8XxrYnQg4sI+:WPf17035LbLGyZ6Yu+

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e6581493a2e881a56524f1d7e6d482602dc1bf34c8fb6990203cfbeb3f8f1431.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Moahdd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndnplk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngafdepl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmpkal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnakjaoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnakjaoc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moahdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndnplk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	e6581493a2e881a56524f1d7e6d482602dc1bf34c8fb6990203cfbeb3f8f1431.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmpkal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oiglfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngafdepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oiglfm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oiiilm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oiiilm32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 8 IoCs

pid	Process
2220	Mnakjaoc.exe
2292	Moahdd32.exe
2820	Ndnplk32.exe
2052	Ngafdepl.exe
2032	Nmpkal32.exe
2636	Oiglfm32.exe
1236	Oiiilm32.exe
1240	Ohnemidj.exe

Loads dropped DLL 20 IoCs

pid	Process
1956	e6581493a2e881a56524f1d7e6d482602dc1bf34c8fb6990203cfbeb3f8f1431.exe
1956	e6581493a2e881a56524f1d7e6d482602dc1bf34c8fb6990203cfbeb3f8f1431.exe
2220	Mnakjaoc.exe
2220	Mnakjaoc.exe
2292	Moahdd32.exe
2292	Moahdd32.exe
2820	Ndnplk32.exe
2820	Ndnplk32.exe
2052	Ngafdepl.exe
2052	Ngafdepl.exe
2032	Nmpkal32.exe
2032	Nmpkal32.exe
2636	Oiglfm32.exe
2636	Oiglfm32.exe
1236	Oiiilm32.exe
1236	Oiiilm32.exe
2276	WerFault.exe
2276	WerFault.exe
2276	WerFault.exe
2276	WerFault.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ngafdepl.exe	Ndnplk32.exe
File opened for modification	C:\Windows\SysWOW64\Oiglfm32.exe	Nmpkal32.exe
File opened for modification	C:\Windows\SysWOW64\Oiiilm32.exe	Oiglfm32.exe
File created	C:\Windows\SysWOW64\Dgcdjk32.dll	e6581493a2e881a56524f1d7e6d482602dc1bf34c8fb6990203cfbeb3f8f1431.exe
File opened for modification	C:\Windows\SysWOW64\Ndnplk32.exe	Moahdd32.exe
File created	C:\Windows\SysWOW64\Ngafdepl.exe	Ndnplk32.exe
File created	C:\Windows\SysWOW64\Ndnplk32.exe	Moahdd32.exe
File created	C:\Windows\SysWOW64\Gkmkilcj.dll	Moahdd32.exe
File created	C:\Windows\SysWOW64\Apeblc32.dll	Ndnplk32.exe
File opened for modification	C:\Windows\SysWOW64\Nmpkal32.exe	Ngafdepl.exe
File created	C:\Windows\SysWOW64\Qenpjecb.dll	Oiglfm32.exe
File opened for modification	C:\Windows\SysWOW64\Ohnemidj.exe	Oiiilm32.exe
File created	C:\Windows\SysWOW64\Fifjgemj.dll	Oiiilm32.exe
File created	C:\Windows\SysWOW64\Mnakjaoc.exe	e6581493a2e881a56524f1d7e6d482602dc1bf34c8fb6990203cfbeb3f8f1431.exe
File created	C:\Windows\SysWOW64\Moahdd32.exe	Mnakjaoc.exe
File created	C:\Windows\SysWOW64\Nmpkal32.exe	Ngafdepl.exe
File created	C:\Windows\SysWOW64\Idomll32.dll	Ngafdepl.exe
File created	C:\Windows\SysWOW64\Oiglfm32.exe	Nmpkal32.exe
File created	C:\Windows\SysWOW64\Eighpgge.dll	Nmpkal32.exe
File created	C:\Windows\SysWOW64\Oiiilm32.exe	Oiglfm32.exe
File created	C:\Windows\SysWOW64\Ohnemidj.exe	Oiiilm32.exe
File opened for modification	C:\Windows\SysWOW64\Mnakjaoc.exe	e6581493a2e881a56524f1d7e6d482602dc1bf34c8fb6990203cfbeb3f8f1431.exe
File opened for modification	C:\Windows\SysWOW64\Moahdd32.exe	Mnakjaoc.exe
File created	C:\Windows\SysWOW64\Mceodfan.dll	Mnakjaoc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2276	1240	WerFault.exe	36

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiglfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiiilm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e6581493a2e881a56524f1d7e6d482602dc1bf34c8fb6990203cfbeb3f8f1431.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnakjaoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moahdd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndnplk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngafdepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmpkal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohnemidj.exe

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Moahdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngafdepl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oiglfm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oiiilm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fifjgemj.dll"	Oiiilm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcdjk32.dll"	e6581493a2e881a56524f1d7e6d482602dc1bf34c8fb6990203cfbeb3f8f1431.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apeblc32.dll"	Ndnplk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndnplk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idomll32.dll"	Ngafdepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qenpjecb.dll"	Oiglfm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	e6581493a2e881a56524f1d7e6d482602dc1bf34c8fb6990203cfbeb3f8f1431.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mceodfan.dll"	Mnakjaoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Moahdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eighpgge.dll"	Nmpkal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndnplk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	e6581493a2e881a56524f1d7e6d482602dc1bf34c8fb6990203cfbeb3f8f1431.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nmpkal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nmpkal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	e6581493a2e881a56524f1d7e6d482602dc1bf34c8fb6990203cfbeb3f8f1431.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngafdepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkmkilcj.dll"	Moahdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oiglfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oiiilm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	e6581493a2e881a56524f1d7e6d482602dc1bf34c8fb6990203cfbeb3f8f1431.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnakjaoc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	e6581493a2e881a56524f1d7e6d482602dc1bf34c8fb6990203cfbeb3f8f1431.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnakjaoc.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 2220	1956	e6581493a2e881a56524f1d7e6d482602dc1bf34c8fb6990203cfbeb3f8f1431.exe	29
PID 1956 wrote to memory of 2220	1956	e6581493a2e881a56524f1d7e6d482602dc1bf34c8fb6990203cfbeb3f8f1431.exe	29
PID 1956 wrote to memory of 2220	1956	e6581493a2e881a56524f1d7e6d482602dc1bf34c8fb6990203cfbeb3f8f1431.exe	29
PID 1956 wrote to memory of 2220	1956	e6581493a2e881a56524f1d7e6d482602dc1bf34c8fb6990203cfbeb3f8f1431.exe	29
PID 2220 wrote to memory of 2292	2220	Mnakjaoc.exe	30
PID 2220 wrote to memory of 2292	2220	Mnakjaoc.exe	30
PID 2220 wrote to memory of 2292	2220	Mnakjaoc.exe	30
PID 2220 wrote to memory of 2292	2220	Mnakjaoc.exe	30
PID 2292 wrote to memory of 2820	2292	Moahdd32.exe	31
PID 2292 wrote to memory of 2820	2292	Moahdd32.exe	31
PID 2292 wrote to memory of 2820	2292	Moahdd32.exe	31
PID 2292 wrote to memory of 2820	2292	Moahdd32.exe	31
PID 2820 wrote to memory of 2052	2820	Ndnplk32.exe	32
PID 2820 wrote to memory of 2052	2820	Ndnplk32.exe	32
PID 2820 wrote to memory of 2052	2820	Ndnplk32.exe	32
PID 2820 wrote to memory of 2052	2820	Ndnplk32.exe	32
PID 2052 wrote to memory of 2032	2052	Ngafdepl.exe	33
PID 2052 wrote to memory of 2032	2052	Ngafdepl.exe	33
PID 2052 wrote to memory of 2032	2052	Ngafdepl.exe	33
PID 2052 wrote to memory of 2032	2052	Ngafdepl.exe	33
PID 2032 wrote to memory of 2636	2032	Nmpkal32.exe	34
PID 2032 wrote to memory of 2636	2032	Nmpkal32.exe	34
PID 2032 wrote to memory of 2636	2032	Nmpkal32.exe	34
PID 2032 wrote to memory of 2636	2032	Nmpkal32.exe	34
PID 2636 wrote to memory of 1236	2636	Oiglfm32.exe	35
PID 2636 wrote to memory of 1236	2636	Oiglfm32.exe	35
PID 2636 wrote to memory of 1236	2636	Oiglfm32.exe	35
PID 2636 wrote to memory of 1236	2636	Oiglfm32.exe	35
PID 1236 wrote to memory of 1240	1236	Oiiilm32.exe	36
PID 1236 wrote to memory of 1240	1236	Oiiilm32.exe	36
PID 1236 wrote to memory of 1240	1236	Oiiilm32.exe	36
PID 1236 wrote to memory of 1240	1236	Oiiilm32.exe	36
PID 1240 wrote to memory of 2276	1240	Ohnemidj.exe	37
PID 1240 wrote to memory of 2276	1240	Ohnemidj.exe	37
PID 1240 wrote to memory of 2276	1240	Ohnemidj.exe	37
PID 1240 wrote to memory of 2276	1240	Ohnemidj.exe	37

C:\Users\Admin\AppData\Local\Temp\e6581493a2e881a56524f1d7e6d482602dc1bf34c8fb6990203cfbeb3f8f1431.exe
"C:\Users\Admin\AppData\Local\Temp\e6581493a2e881a56524f1d7e6d482602dc1bf34c8fb6990203cfbeb3f8f1431.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\SysWOW64\Mnakjaoc.exe
  C:\Windows\system32\Mnakjaoc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\SysWOW64\Moahdd32.exe
    C:\Windows\system32\Moahdd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Windows\SysWOW64\Ndnplk32.exe
      C:\Windows\system32\Ndnplk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Windows\SysWOW64\Ngafdepl.exe
        
        C:\Windows\system32\Ngafdepl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
      - C:\Windows\SysWOW64\Nmpkal32.exe
        
        C:\Windows\system32\Nmpkal32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Oiglfm32.exe
        
        C:\Windows\system32\Oiglfm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Oiiilm32.exe
        
        C:\Windows\system32\Oiiilm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\SysWOW64\Ohnemidj.exe
        
        C:\Windows\system32\Ohnemidj.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 140
        10⤵
        Loads dropped DLL
        Program crash
        
        PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Idomll32.dll

Filesize
7KB

MD5
2d83245f173ab90007060e8bb863dcb4

SHA1
914046deaf85540bc084fcd6fa552b064151245f

SHA256
6e4e8ea154826e7024d1a6de31f893ce719a43c9b72386fa682dd3921446c48b

SHA512
4bd7169ddf738e6c275a1ff5723847ee2c786b538a8922cf1722b401bef502be7d7d74a08e7eb3dced631ab6da92ca0146a8f319479557200d3c8e77ab95a67c

Download Submit
C:\Windows\SysWOW64\Moahdd32.exe

Filesize
144KB

MD5
3df394d3397f280efeb532cc982a6567

SHA1
75cf2a42df9b57630c6a17fed8a8733ff7e178ab

SHA256
06b8a95f059050551eb14f1e2893f871389e8c71f9d64faed6a431caf5152435

SHA512
08704de5dbb2a3f67109f7d1f16964a759559065a845b997bb687e54ce24b548ae3afef62b75918730f132fe3043c99e930ef909407964712275912a1021a15e

Download Submit
C:\Windows\SysWOW64\Oiiilm32.exe

Filesize
144KB

MD5
0701a6902d26b7b9bb502b79f97747c2

SHA1
a948ce4d2b34de6ddb61b5353a6e65b103d342ef

SHA256
7a8f4ed697857dd23530588a3790211cc21125eb3a9035f32d5de2b0b4a81791

SHA512
67a2ad35cf354bd6ce46cef309b74000a4c7a46d26f33778bbe4d1a68b3d1aa63f53e030063c7ff696657c55a2a1bc4fb7f7b3aebcdb9ae57f3ac95013c7f382

Download Submit
\Windows\SysWOW64\Mnakjaoc.exe

Filesize
144KB

MD5
37075182b521a02a4007d0f1e755280b

SHA1
5ec52384b3785708729a35527c8d5ee8ccad3bbd

SHA256
86f6bc551487636af8eb58b4a12c8523646799d9b75d7a6028dccf3143ae92ab

SHA512
88262dc5bbf1e63e8a0ad88158f1107ef490db33d6c9e352f7d7224d5e71077186c27a791718a549a33cdcbc140a824dce3bc4d4bb3b5cd7b35ef49fd31ec42c

Download Submit
\Windows\SysWOW64\Ndnplk32.exe

Filesize
144KB

MD5
5fa9ebe8b6c5a44f82f8febf85f58f80

SHA1
ac577aad5bdc841ae4f36ce40536614d0706f1e6

SHA256
c111c49ec7871a7e2dd2f468eec27be061324c8c2fd00653200a37fbfa0d664e

SHA512
04a5746c0e19c4b732652bc46e68a527b50aaa69958ede7a58a47a55bd890bf2bc725800e94cfd7efcc7cee7f001fbd4879660492bd3b92600af2440c15123c4

Download Submit
\Windows\SysWOW64\Ngafdepl.exe

Filesize
144KB

MD5
bd3dac89ea8a92386b8d45b23400ed7f

SHA1
b6775e5b44778dcb6e7fd0d14475f09970d49d63

SHA256
f040c948be968429a51d4352125fd3a45ccda156a4665acfd7e46f6eeb67e800

SHA512
569a5d82fe59c835cc15556b968e4225876bfd00ad1fa3c2abfe2e69f5c5c1ff59e12e8e1c28811bc193c6f80ebd54780c5f902ef69d5fc9cbd5983395a52c17

Download Submit
\Windows\SysWOW64\Nmpkal32.exe

Filesize
144KB

MD5
8dbce4d47fea69199f68ed5a5c1bdaf6

SHA1
1c0c90f4dc2b3520bb397255f20ee6fb497483a7

SHA256
8ac8f87f25ac8fcf61bbe3d39048e367928e644ef543bb83bd61e36826240983

SHA512
90069df33d9a1534cf5094295d893979d78a1698e03b1d26f184195c5d1a48e50581c44579f2892566efd6a9b9f57dc4fc7f90423f9afe17b8418699834c0be8

Download Submit
\Windows\SysWOW64\Ohnemidj.exe

Filesize
144KB

MD5
c312f24eb20816a0fd1a552220aecc29

SHA1
06596b4564abff8de0b971aa18ee10830b865a35

SHA256
edff7e91d2b80f36e67b539281903a3b8a6a685101baaae64c74949a6fa4513a

SHA512
ed503766f754c3a7c58142dd698b2937019dd73b83d681a0d006fc44d10ac965dad87281ede380d7343d97d39ef6126e6e68a6dbb27dffe931c6eeb954e84e09

Download Submit
\Windows\SysWOW64\Oiglfm32.exe

Filesize
144KB

MD5
9e7ff652fe80937d97f166c7855db74e

SHA1
b9f05768ca8d8f563c6eaaf48ec8e710c7b10acd

SHA256
025a41c141882ceda88a431c507ceb0570cc715efe9178c422b419376d722eb3

SHA512
4c4d294f8750d507f8ef9db60f89ce72c0975751bb21785d2ef9b12e631c0bac7815ead0829dbf5f96076b360f35646bd744702eb3c616a9672c01d82ece05ed

Download Submit
memory/1236-118-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1240-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1240-106-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-12-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1956-7-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1956-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2032-67-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2032-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2052-115-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2052-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2220-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2220-26-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2220-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2292-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2292-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2292-36-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2636-91-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2636-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2636-117-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-114-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads